Method for authenticating the user of a data station connected to a computer system

ABSTRACT

In a process for authenticating a user using a data station (16) in relation to a computer system (14) connected to the data station (16), a first value z is determined in the computer system (14) from an identification word (u) stored for the user in the computer system and a random number r generated in the computer system, and a second value y is determined in the computer system (14) from the password a given by the user and the random number r. The password a is encoded before being sent to the computer system (14) and coded there by a one-way function (30). As a result of these measures, the password a does not appear in the clear text at any point in the data transmission.

FIELD OF THE INVENTION

The invention concerns a method for authenticating the user of a data station connected to a computer system.

BACKGROUND OF THE INVENTION

The inventive method is concerned very generally with the problem of authentication in computer systems which are connected with a plurality of data stations. The data stations can be computers with programs, personal computers or dedicated data stations. As soon as a user or subscriber wants to make connection with a computer through his data station he will be required by the computer to authenticate himself by a password. He transmits the password to the data station which passes it as information to the computer. The involved problem is that an unauthorized user can so modify his data station that he receives a copy of the information sent from the first data station to the computer and withdraws it from the data station. Thereafter the unauthorized user can be authenticated in place of the authorized user because he knows the password. A further problem of this type of authentication resides in that a privileged user who has unlimited access to the data in the computer can acquire the password of a user by reading it from the memory.

In a first known authentication method, in the password announcement the unencoded password is transmitted from the data station of the user to the computer system. There the password is encoded by means of a one-way function and stored in a data file. In usage of the password, that is in the authentication, the password sent in clear text from the data station to the computer system is likewise encoded in the computer system by a one-way function. By "one-way function" is meant a function which is easy to calculate but for which no method exists for calculating its reverse function at reasonable expense.

The resulting value is subsequently compared with the encoded password stored in the data file. Upon identity the user is taken as authenticated. In this method it is not possible to gain knowledge of the password by reading out the password data file. However, the password transmitted in clear text to the computer system can be tapped and subsequently improperly used.

An improvement can be achieved if the authentication takes place in a dialog between the data station and the computer system. In connection with this it has already been proposed to provide a symmetrical ciphering process. In it, in the announcement of the password, the password is stored in a protected data file in clear text. For authentication a random number is created in the computer system by a random number generator, which random number is encoded by an encoding unit and sent to the data station. This information is decoded in a decoder with the password submitted by the user, is modified by an addition, encoded with the password by the encoder, and returned to the computer system. In the computer system the information is decoded by a decoder and compared with the random number likewise modified by the addition, which must result in equality using a comparator. A disadvantage of this solution is likewise that the password is obtainable by a privileged user, such as a system manager or equipment technician, who can read out the corresponding data file. Therefore in this case the password can also be stolen.

Finally, a method has also been developed that requires the storage of at least two values from the user. These keys are created by a keying central unit according to a given method and are not freely selectable by the user, so that the user cannot choose a mnemonic password as in customary password systems. Since the user for security reasons is not permitted to write down the password, this method is practical only in connection with chip cards.

The invention has as its object the provision of a method of the previously mentioned type which offers higher security with simple handling.

SUMMARY OF THE INVENTION

This object is solved with a method wherein the password is never sent in clear text over the connecting lines between the data station and the computer system. It can therefore not be tapped and improperly used.

An increased security is obtained in that the random number before its transmission to the data station is encoded with a one-way function. In order to provide a single way to create values under the previously described assumptions in the computer system and in the data station, which values can be compared with one another, it is provided that commutative one-way functions are used for encoding the password and for combining the encoded value with the random number in the computer system on one side and for encoding the random number and for its combination with the encoded password in the data station on the other side, as is explained hereinafter in further detail.

The combining and/or encoding steps by means of one-way functions can also be repeated at least one time.

To be secure against the emulation of a computer system (in place of the actually provided computer system), the method can be expanded on both sides of the authentication so that the different method steps in the computer system and in the data station run simultaneously in nested fashion.

Another extension is characterized in that the computer system encodes a password h and transmits the result v to the data station, where it is encoded with a random number s formed in the data station to a value v^(s), that the random number s is encoded and transmitted to the computer system, that from the encoded random number p and the password h of the computer system an encoded value q is formed which is transmitted to the data station, and in that the relationship of the two values q and v^(s) is evaluated. By this expansion an authentication of the computer system is also achieved. For determining the authenticity a comparison of the transmitted encoded values with the self-ascertained values is carried out both on the computer side and on the user side. Also in this reciprocal authentication at no moment can the secret password be tapped since it does not appear in clear text on the data connections.

A further development of the previous embodiment is characterized in that the transmission of the encoded random numbers x, p takes place with the transmission of an identifying value. Before the data communication between the computer system and the user takes place each side informs itself by reference to previously exchanged lists whether the instant identification value is registered. If the test turns out positive the data exchange can be carried out. By means of these measures the security of the data transaction is still further increased.

There exists also the possibility of not storing in the computer system the value created by the encoding of the password in the announcement, the so-called authenticator, but to transmit it to the computer system together with the identification, so that the authenticator is verified by a signature process of a type known in itself. Therefore every attempt to gain the authenticator by reading out the corresponding data in the computer system, and from these circumstances to gain the password, is thwarted.

The operations with the encoding functions can take place in a sealed unit in which the secret key resides and from which it cannot be read out. Only the authenticator is readable in this case electronically or optically. One such unit can for example be formed as a chip card.

As a one-way function there can for example be used a discrete exponentiation modulo an integral number or a polynomial expansion of a number ring. The mathematical bases for this are known in themselves. With them the calculations are executed modulo a large prime number q, so that only the numbers from zero to this large number q appear. To this modulo a further number w is determined which is the primitive element of the Galois-field GF(q). This means that the exponents w^(i) are all different from w, so long as i is smaller than q. Since q is a prime number each number w q is a primitive element.

Alternatively to this the calculating method can use polynomial arithmetic modulo to an irreducible polynomial of degree n. Advantages and disadvantages are sufficiently discussed in the literature and are not the subject of the present invention.

Under these edge conditions the function f(x,y)=x^(y) is simple to calculate, but the inverse function f⁻¹(x,z)=log_(x) z is only calculable with large computing effort. For q approximately 2²⁰⁰ the exponentiation requires about 200 multiplications (of 200-bit values). The best known method of logarithmic formation however requires 10⁹ multiplications. This defines the property of a one-way function. Because f(f(x,y),z)=(x^(y))^(z)=x^(yz)=(x^(z))^(y)=f(f(x,z),y) the exponentiation is right-commutative.

BRIEF DESCRIPTION OF THE DRAWINGS

The following description explains in connection with the accompanying drawings the invention by way of exemplary embodiments. They show:

FIG. 1--An operating schematic of the method according to the invention by way of a first embodiment.

FIG. 2--An operating schematic of the inventive method by way of a second embodiment.

FIG. 3--A schematic representation of the procedure in which the computer system is also authenticated.

FIG. 4--A program schematic according to FIG. 3 in which on both the side of the computer and of the user a session key is formed for authentication.

FIG. 5--A program schematic in which the session key is formed according to the DES-method.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

The method illustrated in FIG. 1 is intended to hinder the eavesdropping of the password during an authentication procedure. In it a distinction is made between the password announcement, a one-time procedure, and the utilization of the password or authentication, a desirably repeatable process. In the password announcement the selected password from the user 10 is entered into a confidential file 12 of a computer 14 over a protected channel, for example by a messenger. If the user subsequently wants to call up a service of the computer 14 over one of the data stations connected with it his connection privilege is examined (authentication). This takes place in such a way that in a random generator 18 a random number r is formed in which for example the time of day is multiplied with the process sequence number. This random number r is transmitted over a channel 20 to the data station 16. At the data station, after request for the password a, in the function generator 22 the two position one-way function "modular exponentiation" is realized by forming the value x=r^(a). This value x is conveyed back to the computer 14 over a channel 24. In the computer 14, simultaneously with the process in the data station 16, through usage of the password a stored in the data file 12 and the random number r the value r^(a) is formed by a function computer 26. This value and the value x are compared with one another in a comparator 28. In the event of identity the user is taken as validly authenticated. Because of the one-way characteristic of the modular exponentiation the password cannot be ascertained with acceptable expense from the data transmitted over the channels 20 and 24. Thus the password a can not be ascertained by tapping the connection between the data station 16 and the computer 14. However, the password is stored in the computer 14 for access by a privileged user.

To also eliminate this source of misuse the method is expanded according to FIG. 2. Similar parts are again given the same reference numbers. In contrast to the solution according to FIG. 1 the password in the password announcement is encoded in the data station 16 by means of a function computer 30 performing a one-way function whereby the authentication or value u=w^(a) is calculated. This authentication value u, which contains the password a only in an encoded form, is conveyed to the computer 14 and stored in its data file 12.

Further, in the authentication procedure the random number r is encoded in a function computer 32 before its transmission to the data station 16, where the value x=w^(r) is calculated. This encoded value x is transmitted over the channel 20 to the data station 16.

Then in the authentication procedure the value z=u^(r)=w^(ar) is formed in the function computer 26 of the computer 14. The value y=x^(a)=w^(ra)=w^(ar) is formed in the function computer 22 of the data station 16. It will be understood that despite the different calculation paths the values z and y are identical. In the case of identity of the values y and z the user is again taken as authenticated. In the method according to FIG. 2 neither during the password announcement nor during the password utilization is it possible by tapping the channels between the data station 16 and the computer 14 to ascertain the password a. Also, knowledge of the contents of the data file 12 does not lead to knowledge of the password a. The authenticator u and the value w can be known. Nevertheless, it is not possible with reasonable expense to ascertain the password a.
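The FIG. 2 exchange described above, as an added Python example that is not part of the patent text. The class and function names, the SHA-256 mapping from the typed password to the exponent a, and the toy modulus 2^61 - 1 are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy parameters (assumption): far smaller than the q of about 2^200 in the text.
Q = 2**61 - 1                                   # prime modulus q
FACTORS = (2, 3, 5, 7, 11, 13, 31, 41, 61, 151, 331, 1321)  # primes dividing q-1
# Smallest primitive element w of GF(q): w^((q-1)/f) != 1 for every prime f | q-1
W = next(g for g in range(2, 1000)
         if all(pow(g, (Q - 1) // f, Q) != 1 for f in FACTORS))


def exponent(password: str) -> int:
    """Hypothetical helper: turn the typed password into the exponent a."""
    digest = hashlib.sha256(password.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 2) + 1       # 1 .. q-2


class DataStation:
    """Data station 16; the password never leaves these two methods."""

    def announce(self, password: str) -> int:
        return pow(W, exponent(password), Q)                 # u = w^a  (30)

    def respond(self, x: int, password: str) -> int:
        return pow(x, exponent(password), Q)                 # y = x^a  (22)


class Computer:
    """Computer 14; data file 12 holds only the authenticator u."""

    def __init__(self):
        self.data_file = {}
        self.pending = {}

    def register(self, user: str, u: int) -> None:
        self.data_file[user] = u

    def challenge(self, user: str) -> int:
        r = secrets.randbelow(Q - 3) + 2                     # fresh r in 2 .. q-2
        self.pending[user] = pow(self.data_file[user], r, Q)  # z = u^r  (26)
        return pow(W, r, Q)                                  # x = w^r  (32)

    def verify(self, user: str, y: int) -> bool:
        z = self.pending.pop(user, None)                     # each z is used once
        return z is not None and y == z                      # comparator 28


def login(computer, station, user, password):
    """One authentication run; returns the verdict and the values on the wire."""
    x = computer.challenge(user)                             # channel 20
    y = station.respond(x, password)                         # channel 24
    return computer.verify(user, y), (x, y)


if __name__ == "__main__":
    computer, station = Computer(), DataStation()
    # "alice" and both passwords are constructed sample values
    computer.register("alice", station.announce("correct horse"))
    print(login(computer, station, "alice", "correct horse")[0])
    print(login(computer, station, "alice", "wrong guess")[0])
```

Because a fresh r is drawn for every run, a value y recorded from one run does not match the z of a later run.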

The calculations of the data station can be entirely realized by a chip card so that the user need not confide his password to a machine over which he has no influence and which can be manipulated.

In order to be protected against the simulation of a computer system the method can easily be expanded to reciprocal authentication wherein the two processes run simultaneously and the momentary communication blocks carry the information of both processes. The number of communication steps between the computer and the data station is therefore not increased.

In this embodiment, whose procedural method is schematically illustrated in FIG. 3, a first computer 44, designated as "host" hereinafter, selects a secret password h. The second computer provided for the communication, referred to hereinafter as "user" 46, selects the secret password a. During the preparatory phase the user 46 forms by application of a one-way function the non-secret key u=w^(a). The non-secret key u is subsequently conveyed to the host 44. Likewise, the host by application of a one-way function forms the non-secret key v=w^(h). Subsequently the non-secret key v is transmitted from the host 44 to the user 46. The transmitted key v is stored on the user side in a predetermined data area 48 and the transmitted key u is stored on the host side in a predetermined data area 42.

In the following the reciprocal authentication is described. First, both the host 44 and the user 46 form a random number in a random number generator 50 or 40. In accordance with the example of FIG. 3, on the side of the host 44 the random number is the number r, and on the side of the user 46 the random number is the number s. The random number s is encoded to the value p=w^(s) using a one-way function. Subsequently this value p together with an identification A is transmitted to the host 44. An analog of this is carried out in the host 44. It, using the one-way function, forms the value x=w^(r) and transmits this value together with an identification H to the user 46.

Each side now uses on its received value x or p its secret password a or h. This means on the user side that the value y=x^(a) is formed, and this value is transmitted back to the host 44. The host forms the value q=p^(h) and sends the value q to the user. On the user side a test is now made in a comparator block 52 of whether the value q is identical to the value v^(s). On the side of the host computer a test is made in another comparator block 54 of whether the value y is identical to the value u^(r). If these mentioned values agree with one another the host 44 and the user 46 are clearly authenticated.

To secure authentication of subsequent communications, for example through the use of a symmetrical method such as the known DES-method, the use of a session key is necessary. One such key can, for example, be formed in accordance with the method of Diffie and Hellman. A disadvantage of these known methods however is that an intruder during the moment of waiting for authentication can through an active intervention influence the formation of the key to his own benefit. In the following a method will be described which avoids this disadvantage and builds onto the method described in connection with FIG. 3. In this method a session key is created from the already exchanged data so that it cannot be ascertained by an intruder.

The course of the formation of a session key is schematically illustrated in FIG. 6 by building onto the method steps which have already been explained in connection with FIG. 3. Similar parts are similarly designated in these figures. The host 44 forms from the values r and p, using a one-way function, the value k_(s)=p^(r)=w^(sr). In an analogous way the user 46 forms from the values x and s the value k_(s)=x^(s)=w^(rs). The values k_(s) formed on both sides clearly agree with one another. They can be used for encoding the communication. An intruder is not able to ascertain this session key either by eavesdropping the data connection between the user 46 and the host 44 or by an active intervention on the user side or on the side of the host 44.
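The reciprocal authentication of FIG. 3 together with the session-key step, as an added Python example that is not part of the patent text. The Party class, its method names, the toy modulus 2^61 - 1 and the refusal of trivial received values are assumptions of this example.

```python
import secrets

# Toy parameters (assumption): far smaller than the q of about 2^200 in the text.
Q = 2**61 - 1                                   # prime modulus q
FACTORS = (2, 3, 5, 7, 11, 13, 31, 41, 61, 151, 331, 1321)  # primes dividing q-1
W = next(g for g in range(2, 1000)              # primitive element w of GF(q)
         if all(pow(g, (Q - 1) // f, Q) != 1 for f in FACTORS))


def fresh_exponent() -> int:
    return secrets.randbelow(Q - 3) + 2         # uniform in 2 .. q-2


class Party:
    """Either side of FIG. 3; host 44 and user 46 run the same steps."""

    def __init__(self, name: str):
        self.name = name                        # identification H or A
        self.secret = fresh_exponent()          # h or a, never transmitted
        self.public = pow(W, self.secret, Q)    # v = w^h or u = w^a
        self.known = {}                         # data area 42 / 48: name -> key

    def hello(self):
        self.nonce = fresh_exponent()           # r or s
        return self.name, pow(W, self.nonce, Q)  # (H, x) or (A, p)

    def answer(self, peer: str, value: int) -> int:
        if peer not in self.known:              # identification list lookup
            raise LookupError(f"unregistered identification {peer!r}")
        if not 1 < value < Q - 1:               # added check, not in the text
            raise ValueError("trivial group element refused")
        self.peer, self.received = peer, value
        return pow(value, self.secret, Q)       # y = x^a or q = p^h

    def accepts(self, reply: int) -> bool:
        # comparator 54 (y against u^r) or comparator 52 (q against v^s)
        return reply == pow(self.known[self.peer], self.nonce, Q)

    def session_key(self) -> int:
        return pow(self.received, self.nonce, Q)  # k_s = p^r or x^s


def enrol(host: Party, user: Party) -> None:
    """Preparatory phase: exchange the non-secret keys u and v."""
    host.known[user.name] = user.public
    user.known[host.name] = host.public


def mutual_auth(host: Party, user: Party):
    """Run FIG. 3 plus the session-key step; returns both verdicts and both keys."""
    h_id, x = host.hello()
    a_id, p = user.hello()
    y = user.answer(h_id, x)                    # user -> host
    q = host.answer(a_id, p)                    # host -> user
    return host.accepts(y), user.accepts(q), host.session_key(), user.session_key()


if __name__ == "__main__":
    host, user = Party("H"), Party("A")
    enrol(host, user)
    print(mutual_auth(host, user))
```

A party that presents the identification H without holding h produces a q that fails the user's comparison with v^(s), so the user side rejects it.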

If it is known that in the communication between the host 44 and the user 46 a session encoding should be used for the purpose of authentication, the previously described method can be further simplified. In FIG. 5 such an expansion is schematically illustrated. The starting point for the steps illustrated in FIG. 5 is the method already described in connection with FIG. 3. The references of FIG. 3 are maintained. In the method of FIG. 5 the values q and y are not directly conveyed to the other sides, but are used as keys for the symmetrical session encoding.

The symmetrical encoding takes place on the side of the user computer 46 in the encoder 60 in accordance with the DES-method. As input values for the encoding there taking place the key value y is used and for the identification of the computer user 46 its name A is used. The result of the encoding is sent at the host 44 to the decoding block 62. There, using the value u^(r) the decoding of the transmitted results takes place and the value A, that is the identification of the user 46, is recaptured. The host then compares this value A with values known to it contained in an identification list and determines the authenticity of the user 46.

In an analogous way the authenticity of the host is determined on the user side. In encoder 64 the encoded value q is encoded with the host identification H according to the DES-method and the results are sent to the decoder block 66 on the user side. This decoder decodes the information sent to it using the encoded value v^(s) and recaptures the host identification H. In this method the keys appear at no moment in clear text on the data conductors, so that the employed session key remains secret to outsiders.

During the preparatory phase, in which the user 46 transmits the value u to the host 44 and which stores it there, in a further expansion the value pair, consisting of the name A and the password a can be transmitted with a digitally provided signature, for example according to the scheme of El Gamal, which is described in "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE-IT 31 (1985), Pages 469-472. In the authentication the user sends together with its name A also the certified package (A, a) cert. This method variation is useful if a user communicates with several different computer systems. Then the authenticator is sealed by an admissions authorizer.

What is claimed is:
 1. A computer implemented method for authenticating the user of a data station (16) connected to a computer system (14), said method comprising the steps of encoding a password a inputted from the user by a one-way function generator (30) to form an authentication word u, transmitting said word u to said computer system (14) for storage therein, in response to said authentication word u stored in said computer system (14) for the user and a random number r generated in the computer system by means of a function generator (26) generating a first value z as a function of u and r, generating a word x by encoding said random number r by a one-way function generator (32) in said computer system (14), transmitting said word x to said data station (16), in the data station (16) in response to said password a input from the user and said word x generating a second value y by a one-way function generator (22), transmitting the value y to the computer system (14), and in the computer system (14) evaluating the relationship of the two values z and y to one another for authenticating the user of the data station (16).
 2. A method according to claim 1 further characterized by using commutative one-way functions to encode the password a by said function generator (30) to form said word u, to combine said word u with said random number r in said function generator (26), to encode said random number r by said function generator (32), and to combine the encoded random number r with the unencoded password a in said function generator (22).
 3. A method according to claim 1 further characterized in that as a one-way function the discrete exponentiation modulo function with an integer value or a polynomial expansion of a number ring is used.
 4. A method according to claim 1 further characterized by carrying out a reciprocal authentication of said data station and computer system by, in addition to authenticating said password a input from a user to said data station by the steps of claim 1, also authenticating a password h input from said computer system by using the steps of claim 1 with said data station and said computer system having roles reversed from those of claim 1, the steps of claim 1 and the steps of said reciprocal authentication of said password h being run nestedly simultaneously.
 5. A method according to claim 4 further characterized by the carrying out of said authentication of said password h including the steps of encoding said password h in said computer system to produce a result v, transmitting said result v to said data station and encoding it there with a random number s formed in the data station (46) to produce a value v^(s), encoding the random number s in said data station to produce the result p, transmitting p to the computer system (44), in the computer system forming from the encoded random number p and the password h an encoded value q, transmitting the value q to the data station (46), and evaluating in said data station the relationship of the two values q and v^(s) with respect to one another.
 6. A method according to claim 5, further characterized in that for the encoding one-way functions are used.
 7. A method according to claim 5 further characterized in that the transmitting of the values x, p each takes place with the accompanying transmission of an identification value (H or A).
 8. A method according to claim 5 further characterized by forming by a one-way function in the computer system (44) from the random number r and the encoded random number p transmitted from the data station (46) an encoded value k_(s)=p^(r), and using said value k_(s)=p^(r) as a session key.
 9. A method according to claim 8 further characterized by forming by a one-way function in the data station (46) from the random number s and from the encoded random number x transmitted from the computer system (44) an encoded value k_(s)=x^(s), and using said value k_(s)=x^(s) as a session key.
 10. A method according to claim 5 further characterized in that the second value y is used to encrypt a user identification A according to the DES-method and in the computer system (44) decrypting it using said first value z, and that the encoded value q of the computer system (44) is used to encrypt a computer system identification H according to the DES-method, and in the data station (46) decrypting said encrypted value H using the value v^(s).
 11. A method according to claim 1 further characterized by transmitting said authentication word u to the computer system (14) simultaneously with an identification value A, and verifying said word u through a signature process.
 12. A method according to claim 1 further characterized in that the encoding processes take place in a sealed unit (chip card), in which the secret key (password) resides in a non-read outable way, with said authentication word u being readable solely electronically or optically.
 13. A method as defined by claim 1 further characterized by having said function generator (26) generate the function z=u^(r), by having said function generator (30) generate the function u=w^(a), by having the function generator (32) generate the function x=w^(r), and by having the function generator (32) generate the function y=x^(a).